INTRODUCTION
Business logic may require that you selectively control who can send or receive Internet e-mail in a Microsoft Exchange Server 2003 organization or in a Microsoft Exchange 2000 Server organization. This article describes how to selectively prevent users from sending or receiving Internet e-mail in Exchange 2003 or in Exchange 2000.
MORE INFORMATION
Typically, all users who have mailboxes in an Exchange 2003 organization or in an Exchange 2000 organization can send and receive e-mail internally and externally. However, in several circumstances, business logic may require that certain users be restricted from sending or receiving e-mail outside the organization.

Prerequisites

The solution that this article describes does not apply to a single Exchange server deployment, but only to a scenario in which the following conditions are true:
• There are no user mailboxes on the SMTP gateway server.
• The Sender Filter is enabled on all SMTP gateway servers.
For more information about delivery restrictions in a single-server deployment, click the following article number to view the article in the Microsoft Knowledge Base:
277872 (http://support.microsoft.com/kb/277872/) Connector delivery restrictions may not work correctly

How to restrict users

To prevent selected users from sending or receiving Internet e-mail, follow these steps:
1. Identify the respective mailboxes.
2. Use a recipient policy to stamp the mailboxes by using an invalid SMTP address.
3. Configure a Sender Filter in the Global Settings for Exchange.
Recipient policies cannot be applied to organizational units. Therefore, you must identify the individual mailboxes. To do this, you must add a keyword in the properties of the user object in the Active Directory directory service.

In the solution that this article describes, the Description field is used to include this keyword. The recipient policy will use a primary SMTP address that represents an invalid, nonexistent SMTP domain. This primary SMTP address is used to stamp the user objects that contain the chosen keyword in the Description field. All other SMTP addresses are removed in the properties of these users. Because these users are now configured to receive e-mail only at this invalid SMTP address, they cannot receive any Internet e-mail.

This invalid SMTP address is also used to prevent users from sending Internet e-mail by using the Sender Filter feature in Exchange.

To prevent users from receiving Internet e-mail

To prevent users from receiving Internet e-mail, follow these steps.

Step 1: Add a keyword in the Description field of the user object

a. Start the Active Directory Users and Computers snap-in, and then connect to the appropriate domain controller.
b. Expand Your_Domain.Root_Domain.
c. Click the container that contains the user accounts that you want to restrict.
d. In the right pane, press CTRL, and then click all the users whom you want to restrict.
e. Right-click one of the selected users, and then click Properties.
f. On the General tab, click to select the Description check box. The box to the right becomes active.
g. In the active box, type an appropriate descriptive term. For example, type Restricted.
h. Click OK.

Step 2: Add a new recipient policy

a. Start Exchange System Manager, and then connect to the appropriate Exchange server.
b. Expand Recipients, right-click Recipient Policies, point to New, and then click Recipient Policy.
c. Click to select the E-mail addresses check box, and then click OK.
d. In the Name box, type an appropriate name for the policy.
e. Click Modify, and then click the Advanced tab.
f. Click Field, point to User, and then click Description.
g. In the Condition box, click Is (exactly).
h. In the Value box, type the text that you added in the Description field in step 1g. For example, type Restricted.
i. Click Add, and then click Find Now. After the search is completed, click OK.
j. Click OK to accept the warning message.
k. Click the E-mail addresses (Policy) tab.
l. Click New, click SMTP Address, and then click OK.
m. In the Address box, type the at symbol (@) followed by an SMTP address that is not valid in the Domain Name System (DNS). For example, type @no.smtp.mail in the Address box.
n. Click to select the smtp check box in the new entry that you just added, and then click Set as Primary.
o. Click to clear all other smtp check boxes.

Note Do not click to clear the smtp check box for the newly added entry.

p. Click Yes in the warning message box.
q. Start the Active Directory Users and Computers snap-in.
r. In the properties of one of the selected users, verify that the E-mail box contains the newly added SMTP address. For example, the E-mail box should contain the following address:
user1@no.smtp.mail
s. Click the E-mail addresses tab.
t. Remove all valid SMTP addresses from the E-mail addresses list, and then click OK.
u. Repeat steps 2r through 2t for other users as appropriate for your situation.
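
The per-user check in steps 2r through 2t can also be run over an export of the user attributes. The following is an added example, not part of the original article: it audits an LDIF-style export (such as one produced with ldifde) and reports users who carry the keyword but still have an SMTP address outside the invalid domain. It assumes unfolded, non-base64 LDIF; the sample entries and the function names are constructed for illustration.

```python
KEYWORD = "Restricted"            # Description value from step 1g
BLOCKED_DOMAIN = "no.smtp.mail"   # invalid SMTP domain from step 2m
# Constructed sample export; DNs and addresses are invented for illustration.
SAMPLE_LDIF = """\
dn: CN=User1,OU=Staff,DC=example,DC=com
description: Restricted
proxyAddresses: SMTP:user1@no.smtp.mail

dn: CN=User2,OU=Staff,DC=example,DC=com
description: Restricted
proxyAddresses: SMTP:user2@no.smtp.mail
proxyAddresses: smtp:user2@example.com

dn: CN=User3,OU=Staff,DC=example,DC=com
description: Restricted
proxyAddresses: SMTP:user3@example.com

dn: CN=User4,OU=Staff,DC=example,DC=com
description: Sales
proxyAddresses: SMTP:user4@example.com
"""

def parse_ldif(text):
    """Parse unfolded, non-base64 LDIF into a list of {attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit(entries, keyword=KEYWORD, domain=BLOCKED_DOMAIN):
    """Return {dn: [problems]} for keyword-tagged users that can still get Internet mail."""
    suffix, findings = "@" + domain.lower(), {}
    tagged = [e for e in entries if keyword.lower() in map(str.lower, e.get("description", []))]
    for e in tagged:
        smtp = [p for p in e.get("proxyaddresses", []) if p.lower().startswith("smtp:")]
        primary = [p for p in smtp if p.startswith("SMTP:")]  # uppercase prefix marks the primary
        problems = ["address outside blocked domain: " + p[5:] for p in smtp if not p.lower().endswith(suffix)]
        if len(primary) != 1 or not primary[0].lower().endswith(suffix):
            problems.insert(0, "primary SMTP address is not in the blocked domain")
        if problems:
            findings[e["dn"][0]] = problems
    return findings

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

An empty result means every tagged user has only the invalid address; any entry listed still needs step 2t applied.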

To prevent users from sending Internet e-mail

1. Start Exchange System Manager.
2. Expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Sender Filtering tab, and then click Add.
4. In the Sender box, type the at symbol (@) followed by the invalid SMTP address that you added in the new recipient policy. For example, type @no.smtp.mail.
5. Click OK two times.
6. In Exchange System Manager, expand Administrative Groups, expand Your_Administrative_Group, and then expand Servers.
7. Expand the Server_Name object that represents the SMTP gateway server to the Internet.
8. Expand Protocols, expand SMTP, right-click the Default SMTP Virtual Server, and then click Properties.
9. On the General tab, click Advanced.
10. In the Address list, click the required IP address entry, and then click Edit.
11. Click to select the Apply Sender Filter check box, and then click OK three times.
12. Repeat steps 7 through 11 on all other SMTP gateway servers as appropriate for your situation.
13. Exit Exchange System Manager.